"What we've seen in the last 12-24 months in IT security is essentially a boom in the marketplace...but as with any boom market it brings out all comers," Alex Nemeth, MD of managed security service provider (MSSP) Zento, told ZDNet Australia.
According to Nemeth, many organisations are seeing managed security services as a way to get in on the IT action, but are essentially running backyard operations out of a garage and can't truly deliver the 24x7 services required.
"Clients often don't know what to ask for because managed security services (MSS) is still a fairly new and evolving market here in Australia," Nemeth said. "There's a large amount of mystery around IT security and we don't need the snake oil salesman essentially trying to cash in on that industry."
Nemeth's biggest concern for clients is having their security compromised by poor deployment of technology or below-standard services. He also believes these "backyard operators" put clients at financial risk, with payment-up-front contracts seeing clients burnt when MSSPs go out of business.
According to a Gartner report, which says MSSPs are popping up like dot.coms did in 1999, the MSSP market will grow globally at a compound annual growth rate (CAGR) of 31 percent through 2005, but it also says that, like any type of business, 60 percent will fail or move on to other, more lucrative business models.
Nemeth encourages organisations considering outsourcing their security services to use a six-point credential checklist when evaluating potential MSSPs.
· At least 18 months working capital to support operations
· Dedicated 24x7x365 Security Operations Centre
· Technologically advanced and secure data centre infrastructure
· Industry accredited and experienced IT security staff
· Multi-vendor support
· Service Level Agreements guaranteeing the delivery of managed services
"These backyard guys are seeing it [IT security] and saying 'I want a piece of that pie, let's roll the dice and see what happens', but they're putting organisations at commercial risk," Nemeth said.
Vendor accreditation
Although there's no Australian industry body that monitors or endorses MSSPs, vendors such as McAfee, CheckPoint and Trend Micro all claim to have a fairly strict process of due diligence when accrediting security service providers.
Shelly Houghton, MSSP business manager at CheckPoint, said she has certainly witnessed "a bit of interest from companies who want to get on the bandwagon".
"Of the ten calls I get a week I probably follow up one of these 10, and nine times out of 10 that company would not become a CheckPoint provider," Houghton said.
Whilst systems integrators and resellers often think this is a new revenue generation field, it requires a lot of infrastructure and a huge skillset, Houghton pointed out.
"Because we promote our MSSPs from our Web site, we have to be 100 percent confident they can deliver the services to the end user," Houghton said, adding that she doesn't believe the marketplace could sustain more than five dedicated managed security service providers.
Ray McIntyre, channel sales manager Australia/New Zealand at McAfee, agrees that the right infrastructure, at a cost of "multiple hundreds or thousands of dollars", is essential and that unless MSSPs have strong financial backing they're going to have problems.
"We get more and more inquiries every day," McIntyre said. However, "we typically set the bars very high to make sure those we recruit are in for the long haul," he added.
McAfee currently works with two Australian-based and one New Zealand MSSP.
Telcos, ISPs get with the program
According to McIntyre, telcos and ISPs are an obvious segment to get into providing these services; the issue, he said, was whether or not they understand how to sell the service.
"They could make it one string in their bow...but it's still very much the case that you need your feet on the street out there selling the solution," McIntyre said.
Whilst Glenn Miller, of security distributor Janteknology, says that a large percentage of so-called security experts are "duds", he believes there's enough room in the market for telecoms players, and he said he welcomes telcos and ISPs into the space "if they get with the program".
"The gateway of the Net is at the telco and ISP level," Miller said. However, when the Code Red and Nimda viruses struck, the telcos were right up there with the worst of them, spreading the virus due to insufficient network protection, he said. "They're all as bad as each other."
"If it means these organisations are getting involved with providing a safer environment, I don't see it as a bad thing," he added.
However, whilst telcos influence a bigger audience, Miller conceded that it's a question of whether they provide the same quality of service as the smaller player.
Telcos wanting a bite of the IT security pie is another concern of Zento's Nemeth, who believes they will use their "one-stop-shop" position as a catalyst to sell more bandwidth.
"Security is not a one-stop-shop solution," Nemeth said. "It requires large amounts of capital, dedicated resources and infrastructure, as well as a 24x7 security operations centre."
Although telcos are usually "good name brands", Nemeth believes they don't have the focus, the skillset, or the actual infrastructure in place to do the job as well as a dedicated MSSP.
"There are less than 10 dedicated MSSPs in the Australian marketplace - probably closer to five saying this is our core focus," Nemeth said. "IT security is something organisations can't afford to get wrong."
MSSP shake-out
Whilst Janteknology's Miller believes there's room in the marketplace for big brand telco players, he concedes that the problem of outsourcing is whether or not those you outsource to are really competent.
"Backyard operators come with the territory...high growth area attracts cowboys," he said.
For this reason, Miller believes organisations should strike a balance between what security services they outsource and what they retain in-house, and should go the extra yards when evaluating MSSPs. "Don't base your decision on the fact that you like the rep," he said.
CheckPoint's Houghton believes that although worldwide there has been a bit of a shakeout in the MSS market, Australia and New Zealand have been slow to adopt the model mainly because "outsourcing has become a dirty word".
"People have been burnt in the past and are shy of it," she said. However, Houghton reiterated Miller's point that not all IT security should be outsourced. Companies should remember, she said, that they're not handing over everything, just part of service, namely the management and monitoring of security.
"There's still a lot of education required as to why companies should outsource their security management," she said.
Miller agreed that Australia hasn't seen the same growth in MSSPs as the US has, but says if providers take notice of the shake-up that has happened overseas, some of the pitfalls could be avoided. "However, nature as it is, that's unlikely," he said.
Gartner's report "Surviving the Managed Security Services Shakeout" says that the bottom line is that many organisations will continue to outsource security monitoring functions, creating a true demand for managed security services and a rush of service providers into the market, "most of whom will fail".











